Problem lies here. You have denied all pages.

 <deny users="?"/>

Then Captcha will also be denied if you deny all pages. The solution is to

1. Keep all Authentication Required pages in soem folder and deny anonymous access to that folder only.

2. Or instead of controlling from Web.Config, check in Page Load of each page where you want to Authenticate Users.

protected void Page_Load(object sender, EventArgs e)
{
    if (!this.Page.User.Identity.IsAuthenticated)
    {
        FormsAuthentication.RedirectToLoginPage();
    }
}

For more details:

Validating (Check) Username and Password from database in ASP.Net